A resource object domain, such as a data repository for computing resources of an enterprise, may contain a wide range of information that it may be desirable to protect. In order to provide such protection, an access control system may be implemented. Such an access control system may track and enforce various types of permissions associated with various users and groups and applied to various resource objects. For example, an access control system may deny a request to access a particular resource object based on a permission rule that is specific to the resource object and the requestor, specific to the resource object and to a group of which the requestor is a member, or specific to a parent of the resource object and a group of which the requestor is a member.
In a large-scale resource object domain, when a traditional access control system is employed, the reasons for particular decisions to grant or deny particular requests may not be readily ascertainable by users of the access control system. For example, it may not be readily ascertainable by a user whether his request to access a particular resource object was denied based upon his identity, his membership in a group, or upon some other factor. Consequently, techniques to explain authorization origins for protected resource objects in a resource object domain may be desirable. It is with respect to these and other considerations that the present improvements have been needed.
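The following added example, which is not taken from the original text, sketches an access check that returns the origin of its decision along with the decision itself, covering the three rule kinds described above (resource and requestor, resource and group, parent and group). The resource paths, user and group names, rule layout, and precedence order (nearest rule wins, user rules before group rules, deny before allow, deny by default) are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample domain; every name below is hypothetical.
PARENT = {"/finance/payroll.xlsx": "/finance", "/finance": "/"}
GROUPS = {"alice": {"staff"}, "bob": {"staff", "contractors"}}
# Each rule: (resource, principal kind, principal name, effect)
RULES = [
    ("/", "group", "staff", "allow"),
    ("/finance", "group", "contractors", "deny"),
    ("/finance/payroll.xlsx", "user", "alice", "deny"),
]

@dataclass(frozen=True)
class Decision:
    allowed: bool
    origin: str  # explanation of which rule produced the decision

def _match(resource, user):
    """Rules set on `resource` that apply to `user`, highest precedence first."""
    hits = [r for r in RULES if r[0] == resource and
            ((r[1] == "user" and r[2] == user) or
             (r[1] == "group" and r[2] in GROUPS.get(user, set())))]
    # Assumed precedence: user rules before group rules, deny before allow.
    return sorted(hits, key=lambda r: (r[1] != "user", r[3] != "deny"))

def check_access(user, resource):
    """Walk from the resource up through its parents; the nearest rule decides."""
    node = resource
    while node is not None:
        hits = _match(node, user)
        if hits:
            _, kind, name, effect = hits[0]
            via = "identity" if kind == "user" else f"membership in group '{name}'"
            where = "the resource itself" if node == resource else f"ancestor '{node}'"
            return Decision(effect == "allow",
                            f"{effect} by rule on {where}, matched via {via}")
        node = PARENT.get(node)
    return Decision(False, "deny by default: no applicable rule")

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, check_access(who, "/finance/payroll.xlsx"))
```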